AWS Certified Security – Specialty — Question 332
A company has decided to use AWS Key Management Service (AWS KMS) for all of its encryption keys. The company plans to create all of its keys as customer managed CMKs and will not import any encryption keys. The company must rotate its encryption keys once every 12 months.
Which solution will meet these requirements?
Answer options
- A. Change the customer managed CMK key policy to enable automatic key rotation.
- B. Use AWS managed CMKs instead of customer managed CMKs so that AWS will rotate the keys automatically.
- C. Invoke an AWS Lambda function regularly to rotate the backing key of each customer managed CMK.
- D. Enable automatic key rotation for each customer managed CMK after it has been created in AWS KMS.
Correct answer: D
Explanation
Enabling automatic key rotation on a customer managed CMK causes AWS KMS to rotate the key's backing key material automatically once every year (every 12 months), which matches the company's requirement exactly. Option B is incorrect because AWS managed CMKs are rotated every three years and do not satisfy the requirement to use customer managed CMKs. Option A is incorrect because automatic key rotation is a setting on the key itself, not something configured in the key policy. Option C is incorrect because rotating the backing key with a regularly invoked AWS Lambda function adds unnecessary administrative overhead when a native solution exists.